pre-GDB - Traceability & Isolation WG

Name: pre-GDB - Traceability & Isolation WG
Start: 2016-05-10T14:00:00+02:00
End: 2016-05-10T17:00:00+02:00
Location: CERN

Tuesday 10 May 2016, 14:00 → 17:00 Europe/Zurich

31/S-028 (CERN)

31/S-028

CERN

Show room on map

Description

Initial meeting of Traceability & Isolation Working Group

Hide

# VO status:
* ALICE:
+ Has its own logging infrastructure
+ Has its own suspension infrastructure
- User theoretically capable of attacking the pilot (no separation) and stealing its credentials
+ Working on cgroups/containers

* ATLAS:
+ Has its own logging infrastructure
+ No multi-user payload: either a single payload (default) or multiple of the same user
+ Pilot's credentials are only kept in memory
- User theoretically capable of attacking the pilot (no separation)
- Enormous ammount of logs being produced, processing/search them is hard

* CMS:
* Fully using glexec for:
   + Isolating the user payload from the pilot job
   + Logging (mapping IP/time -> user)
   + Emergency suspension
* No independant logging infrastructure

* LCHb:
* On the grid:
   - user theoretically capable of attacking the pilot (no separation) and stealing its credentials
   * glexec supported but not used
* Inside VMs:
   + Root/pilot/user jobs running as different user ID (replace glexec with sudo)
   + Logs can be sent to the site, if requested
* Would like to have only one implementation for both grid & cloud. Namespaces looking promising

# Update from OSG Traceability and Isolation:
* "If you add all the existing policy and technical requirements together, you get today's glexec."
- Traditional UID separation difficult:
- Need SUID binary to change uid
- Persistant shared storage (e.g. NFS) need to be cleaned
- Containers (namespaces) don't seem mature enough, esp. for shared storage
* Explored several solutions to keep user isolation without user certificates: http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1218

# Discussions:
* Brian Bockelman said that Centos 7.2 seems to still be missing some unpriviledged namespace support
* Tim Bell commented that some namespace feature are only available via a kernel option: user_namespace.enable=1
* Romain Wartel reminded the participants of the existance of recommendations for logging: https://edms.cern.ch/document/428037/3 and https://edms.cern.ch/document/793208/1

# Actions: arising from discussions:
* ALICE, ATLAS, LHCb: compare the logs they produce to these recommendations

# Next meeting
To be decided later via a Doodle

There are minutes attached to this event. Show them.

- 14:00 → 14:30
  
  Introduction 30m
  
  Speaker: Vincent Brillault (CERN)
  
  PreGDB_201605-Traceability_Isolation_WG.pdf
  
  PreGDB_201605-Traceability_Isolation_WG.pptx
- 14:30 → 15:30
  Current status of VO frameworks 1h
  - ALICE 15m
    
    Speaker: Miguel Martinez Pedreira (CERN)
    
    Traceability.pdf
  - ATLAS 15m
    
    Speakers: Alessandra Forti (University of Manchester (GB)), Robert Ball (University of Michigan (US))
    
    20160510_pre-GDB_traceability.pdf
  - CMS 15m
    
    Speaker: Diego Da Silva Gomes (Fermi National Accelerator Lab. (US))
    
    160509_preGDB_CMS.pdf
  - LHCb 15m
    
    Speaker: Andrew McNab (University of Manchester)
    
    20160510-mcnab-lhcb-iso-trace.pdf
- 15:30 → 16:00
  
  Traceability evolutions in OSG 30m
  
  Speaker: Dave Dykstra (Fermi National Accelerator Lab. (US))
  
  WLCGTraceability20160510.pdf
- 16:00 → 17:00
  
  Discussions 1h

Choose timezone

pre-GDB - Traceability & Isolation WG

31/S-028

CERN